Password Reset By User Account

Detect when a user has reset their password in Azure AD

Sigma rule (View on GitHub)

 1title: Password Reset By User Account
 2id: 340ee172-4b67-4fb4-832f-f961bdc1f3aa
 3status: test
 4description: Detect when a user has reset their password in Azure AD
 5references:
 6    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts
 7author: YochanaHenderson, '@Yochana-H'
 8date: 2022-08-03
 9tags:
10    - attack.persistence
11    - attack.credential-access
12    - attack.t1078.004
13logsource:
14    product: azure
15    service: auditlogs
16detection:
17    selection:
18        Category: 'UserManagement'
19        Status: 'Success'
20        Initiatedby: 'UPN'
21    filter:
22        Target|contains: 'UPN'
23        ActivityType|contains: 'Password reset'
24    condition: selection and filter
25falsepositives:
26    - If this was approved by System Administrator or confirmed user action.
27level: medium

References

Related rules

to-top